b0556a15fd8fccd6c04c972e5178e95112ab6674a06958ee33644e3c639252db

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76646c24350afced1ee0979caf83fc4f.exe
Size

323KB
MD5

76646c24350afced1ee0979caf83fc4f
SHA1

0235676f58db067e07d82af4de176f7830627b06
SHA256

b0556a15fd8fccd6c04c972e5178e95112ab6674a06958ee33644e3c639252db
SHA512

d2c2d6abe6c4c1c459f818b76cf556551f5453c84a2d371a5f5983a4cd64a57bbe9a100191369e128de4370e04e44f3c039eef92bcb498242d9a5efe99b4ef66
SSDEEP

3072:2B8Nu8xX7O+7GVlT9At9gMNNy9sEeR7Kw1lmGSKM4hMpCqgCCcxXbsPC35ynqoRh:E8Nu8Q+CVGmGtn2tpCtMflokFnxKV

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	yjekpa.exe

Loads dropped DLL 2 IoCs

pid	Process
1668	76646c24350afced1ee0979caf83fc4f.exe
1668	76646c24350afced1ee0979caf83fc4f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\{99FD42C8-CEFB-AD4E-9644-6D1A8CD24E07} = "C:\\Users\\Admin\\AppData\\Roaming\\Byef\\yjekpa.exe"	yjekpa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy	76646c24350afced1ee0979caf83fc4f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	76646c24350afced1ee0979caf83fc4f.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe
2324	yjekpa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1668	76646c24350afced1ee0979caf83fc4f.exe
2324	yjekpa.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2324	1668	76646c24350afced1ee0979caf83fc4f.exe	28
PID 1668 wrote to memory of 2324	1668	76646c24350afced1ee0979caf83fc4f.exe	28
PID 1668 wrote to memory of 2324	1668	76646c24350afced1ee0979caf83fc4f.exe	28
PID 1668 wrote to memory of 2324	1668	76646c24350afced1ee0979caf83fc4f.exe	28
PID 2324 wrote to memory of 1068	2324	yjekpa.exe	11
PID 2324 wrote to memory of 1068	2324	yjekpa.exe	11
PID 2324 wrote to memory of 1068	2324	yjekpa.exe	11
PID 2324 wrote to memory of 1068	2324	yjekpa.exe	11
PID 2324 wrote to memory of 1068	2324	yjekpa.exe	11
PID 2324 wrote to memory of 1100	2324	yjekpa.exe	10
PID 2324 wrote to memory of 1100	2324	yjekpa.exe	10
PID 2324 wrote to memory of 1100	2324	yjekpa.exe	10
PID 2324 wrote to memory of 1100	2324	yjekpa.exe	10
PID 2324 wrote to memory of 1100	2324	yjekpa.exe	10
PID 2324 wrote to memory of 1132	2324	yjekpa.exe	8
PID 2324 wrote to memory of 1132	2324	yjekpa.exe	8
PID 2324 wrote to memory of 1132	2324	yjekpa.exe	8
PID 2324 wrote to memory of 1132	2324	yjekpa.exe	8
PID 2324 wrote to memory of 1132	2324	yjekpa.exe	8
PID 2324 wrote to memory of 1584	2324	yjekpa.exe	5
PID 2324 wrote to memory of 1584	2324	yjekpa.exe	5
PID 2324 wrote to memory of 1584	2324	yjekpa.exe	5
PID 2324 wrote to memory of 1584	2324	yjekpa.exe	5
PID 2324 wrote to memory of 1584	2324	yjekpa.exe	5
PID 2324 wrote to memory of 1668	2324	yjekpa.exe	13
PID 2324 wrote to memory of 1668	2324	yjekpa.exe	13
PID 2324 wrote to memory of 1668	2324	yjekpa.exe	13
PID 2324 wrote to memory of 1668	2324	yjekpa.exe	13
PID 2324 wrote to memory of 1668	2324	yjekpa.exe	13
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29
PID 1668 wrote to memory of 1768	1668	76646c24350afced1ee0979caf83fc4f.exe	29

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1584

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\76646c24350afced1ee0979caf83fc4f.exe
  "C:\Users\Admin\AppData\Local\Temp\76646c24350afced1ee0979caf83fc4f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Roaming\Byef\yjekpa.exe
    "C:\Users\Admin\AppData\Roaming\Byef\yjekpa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3ee4050e.bat"
    3⤵
    - Deletes itself
    PID:1768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3ee4050e.bat

Filesize
243B

MD5
5ce2b9018c8b6bd6f33dab537df6dce5

SHA1
0862dc18217cf9bd9d2ad00f082434580efa920f

SHA256
36a0a1c486761401ce7bc4b35ae85141a210d52fea2612cd531a6e424226b94e

SHA512
0c1bb9d5b012973d2203f9b1c5902e0c64f09a8554bec93de653072020f622aa0ea82c81bbce2a35cd6fce759588a10a9f4de6769ae437afcb5fde35a5f587f9

Download Submit
C:\Users\Admin\AppData\Roaming\Byef\yjekpa.exe

Filesize
323KB

MD5
c783f7474a52a64bae7774785ca7fdc5

SHA1
2caad7ee3b2307946420af3f8ee7e73374be3fae

SHA256
84b9b82a56b2362585191604846452e4bcae145e3a8803798e73b7b9ad2d0fa9

SHA512
9d1aa9e670e47a766cf6a16cd5bd0e30553809517745bd94a040c9dfae989d714beb68f152c34ebccabf4387a4de621addb8fed17a7bbbfba3641e6d08af8a53

Download Submit
C:\Users\Admin\AppData\Roaming\Byef\yjekpa.exe

Filesize
270KB

MD5
6f359787506baf5dc0911c7d535d241b

SHA1
9adee1601bb8c6d64fcc2494255735381abab794

SHA256
0bf6eb062eb349a6d88766b71a1d093c93d68f7cd4dd3d890d0b881f3c510266

SHA512
b1d064a540b0b541cc4b017700f48866aabeeb918beb9abfb5b8f2a8679185a7b93fe1d6abcb4f710db454b7dc8b26161d44e0dd4cb55ca8daf10f8b3825802d

Download Submit
memory/1068-21-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1068-23-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1068-25-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1068-27-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1068-17-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1100-31-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1100-33-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1100-32-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1100-30-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1132-42-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1132-40-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1132-36-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1132-38-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1584-45-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1584-46-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1584-47-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1584-48-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1668-53-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/1668-55-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/1668-74-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-172-0x00000000002F0000-0x0000000000344000-memory.dmp

Filesize
336KB

Download
memory/1668-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-1-0x00000000002F0000-0x0000000000344000-memory.dmp

Filesize
336KB

Download
memory/1668-0-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1668-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-72-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-68-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-66-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-64-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-62-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-57-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/1668-76-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-51-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/1668-81-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-153-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-77-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/1668-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1768-275-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1768-175-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1768-177-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2324-18-0x0000000001C80000-0x0000000001CD4000-memory.dmp

Filesize
336KB

Download
memory/2324-16-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2324-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download